Mark Hofman posted an interesting assessment of the weaknesses found in most organizations during vulnerability and penetration testing. He asserts that some findings are so common that an analyst can probably start his or her report before taking the first look at the client's network. Hofman provides the following as a first pass at what the pre-assessment assessment report might look like.

Fill company name in here does not have an effective patching process in place. The servers examined require numerous patches, some going back as far as 2000. Workstations likewise require patching to be brought up to date.

Servers are not hardened or the SOE is not being enforced.

A number of test/training/generic accounts exist with weak passwords such as the account name, password, day of the week, .... Access provided to these accounts is permissive and provides access to confidential information.

The SA account on the MSSQL server has a blank/weak password allowing the creation of domain administrator accounts (game over).

Hofman is inviting additions to this list at the link above. I agree that it seems many organizations pass over the fundamentals when building a security framework. It's easy to miss weaknesses in LDAP access while focusing on IPS, firewall, or other types of infrastructure technologies. And how many organizations have actually taken the time to assess the vulnerabilities extant in their SNMP configurations? Hofman's list provides visibility into some of the activities and configurations required to create the foundation for a layered security framework. The basics are not always "sexy" and they are often viewed as mundane and tedious. But they are essential components in a strong network defense.
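The SNMP question above has a concrete baseline check behind it. The following is an added example, not code from the original post or from Hofman's list: a small Python audit of a Net-SNMP style snmpd.conf that flags well-known or short community strings, read-write communities, and communities with no source restriction. The sample configuration, the two-entry well-known list, and the eight-character minimum are constructed assumptions for illustration.

```python
"""Audit a Net-SNMP style snmpd.conf for the configuration weaknesses a
fundamentals review should catch before any IPS or firewall tuning:
default or short community strings, read-write (rwcommunity) access, and
communities exposed to every source address.

Assumptions (not from the original post): Net-SNMP directive syntax for
rocommunity / rwcommunity / com2sec; the well-known-community list is a
short constructed sample, not an exhaustive wordlist.
"""
from dataclasses import dataclass

WELL_KNOWN_COMMUNITIES = {"public", "private"}  # constructed sample list
MIN_COMMUNITY_LEN = 8                            # assumed policy minimum
UNRESTRICTED_SOURCES = {"default", "0.0.0.0/0", "::/0"}


@dataclass
class Finding:
    line_no: int
    severity: str   # "high" or "medium"
    message: str


def _strip_comment(raw: str) -> str:
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return raw.split("#", 1)[0].strip()


def _check_community(line_no: int, community: str, source: str,
                     writable: bool) -> list:
    """Apply the three checks to one community/source pair."""
    findings = []
    if community.lower() in WELL_KNOWN_COMMUNITIES:
        findings.append(Finding(line_no, "high",
                                f"well-known community string '{community}'"))
    elif len(community) < MIN_COMMUNITY_LEN:
        findings.append(Finding(line_no, "medium",
                                f"community string shorter than {MIN_COMMUNITY_LEN} chars"))
    if writable:
        findings.append(Finding(line_no, "high",
                                "read-write community grants SNMP SET access"))
    if source in UNRESTRICTED_SOURCES:
        findings.append(Finding(line_no, "medium",
                                "community accepted from any source address"))
    return findings


def audit_snmpd_conf(text: str) -> list:
    """Return findings for each community-granting directive in the file."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = _strip_comment(raw)
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive in ("rocommunity", "rwcommunity",
                         "rocommunity6", "rwcommunity6"):
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]; no SOURCE
            # means the community is accepted from everywhere.
            community = tokens[1] if len(tokens) > 1 else ""
            source = "default"
            if len(tokens) > 2 and not tokens[2].startswith("-"):
                source = tokens[2]
            findings += _check_community(line_no, community, source,
                                         writable=directive.startswith("rw"))
        elif directive == "com2sec" and len(tokens) >= 4:
            # com2sec SECNAME SOURCE COMMUNITY
            source, community = tokens[2], tokens[3]
            findings += _check_community(line_no, community, source,
                                         writable=False)
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'high': 3, 'medium': 3}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample configuration for demonstration only.
SAMPLE_SNMPD_CONF = """\
# constructed sample snmpd.conf
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity  Xk9v2LmQz4 10.0.1.0/24
com2sec readonly default  ChangeMeNow
com2sec mgmtnet 10.0.1.0/24 t3st
"""

if __name__ == "__main__":
    for f in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {f.line_no}: [{f.severity}] {f.message}")
    print(summarize(audit_snmpd_conf(SAMPLE_SNMPD_CONF)))
```

To run it against a real host, pass the contents of its snmpd.conf to audit_snmpd_conf and extend WELL_KNOWN_COMMUNITIES with whatever default strings the organization's own asset inventory lists. SNMPv1/v2c community strings travel in cleartext, so the lasting fix is SNMPv3 with authentication and privacy rather than merely a longer string.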

Independent security researcher and IT professional with over 36 years of experience in programming, network engineering and security. Author of four books (Just Enough Security, Microsoft Virtualization, Enterprise Security: A Practitioner's Guide, and Incident Management and Response Guide) and various papers on security management.